CVE-2026-32750
Published 2026-03-19
Priority: P3 39 · Severity: medium · CVSS 3.1 base score: 6.8
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.43% (34.5th percentile)
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users. The data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection (separate advisory), a non-admin user can then read all imported secrets without any additional privileges. This issue has been fixed in version 3.6.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.1 | 3.6.1 |
| github.com | siyuan-note_siyuan | 0 – 0.0.0-20260313024916-fd6526133bb3 | — |
| siyuan-note | siyuan | < 3.6.1 | 3.6.1 |
OSV
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes in github.com/siyuan-note/siyuan
osv·2026-03-26
OSV
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
osv·2026-03-16
CVE-2026-32750 [MEDIUM] SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
### Summary
POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.
### Details
File: kernel/api/import.go - function importStdMd
```go
func importStdMd(c *gin.Context) {
	ret := gulu.Ret.NewResult()
	defer c.JSON(http.StatusOK, ret)
	arg, ok := util.JsonArg(c, ret) // request body decoded as a map, as in the other kernel/api handlers
	if !ok {
		return
	}
	notebook := arg["notebook"].(string)
	localPath := arg["localPath"].(string) // caller-controlled; handed to the importer with no validation
	toPath := arg["toPath"].(string)
	err := model.ImportFromLocalPath(notebook, localPath, toPath) // every file under localPath becomes a note
	if err != nil {
		ret.Code, ret.Msg = -1, err.Error()
	}
}
```
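The handler above never asks whether localPath is a directory the caller should be allowed to import. As an added example that is not SiYuan's code and not its 3.6.1 fix, the hypothetical `resolveImportPath` below shows the guard a defender would put in front of `model.ImportFromLocalPath`: it anchors relative input at an allowed base directory (assumed here to be a workspace-owned import folder), resolves symlinks, and rejects anything that ends up outside that base.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path escapes allowedBase.
var ErrOutsideBase = errors.New("localPath is outside the allowed import directory")

// resolveImportPath is a hypothetical guard for importStdMd (not SiYuan's own fix):
// it accepts a user-supplied localPath only if, after cleaning and symlink
// resolution, it still lies inside allowedBase, and returns the canonical path.
func resolveImportPath(allowedBase, localPath string) (string, error) {
	if strings.TrimSpace(localPath) == "" {
		return "", errors.New("localPath is empty")
	}
	base, err := filepath.EvalSymlinks(allowedBase) // base must exist
	if err != nil {
		return "", fmt.Errorf("allowed base: %w", err)
	}
	// Relative input is anchored at base, never at the process working directory.
	candidate := localPath
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(base, candidate)
	}
	// EvalSymlinks follows links, so a symlink inside base that points at / is caught.
	candidate, err = filepath.EvalSymlinks(filepath.Clean(candidate))
	if err != nil {
		return "", fmt.Errorf("localPath: %w", err)
	}
	rel, err := filepath.Rel(base, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	base, _ := os.MkdirTemp("", "import-demo") // constructed base directory for the demo
	defer os.RemoveAll(base)
	_ = os.Mkdir(filepath.Join(base, "notes"), 0o755)
	for _, p := range []string{"notes", "../", "/"} {
		_, err := resolveImportPath(base, p)
		fmt.Printf("%q -> %v\n", p, err)
	}
}
```

Restricting the endpoint to administrators, or disabling it where server-side imports are not needed, is the complementary control; the path check alone does not address the persistence of already-imported content.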
model.ImportFromLocalPath (kernel/model/import.go:784):
```go
func
```
GHSA
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
ghsa·2026-03-16
CVE-2026-32750 [MEDIUM] CWE-22 SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
No detection rules found.
No public exploits indexed.
Published: 2026-03-19